I am a security architect. My job is not to provide best-in-class security. Just in case you didn't get it: MY JOB IS NOT TO PROVIDE BEST-IN-CLASS SECURITY. I strive to provide the RIGHT LEVEL of security based on the risk, always taking into account the usability and cost of the solution I am recommending. There is a reason why enterprise architects and the people who run the business and pay the bills sometimes hate the security types. More often than not, we recommend super-duper secure solutions which cost a fortune and are mostly unusable. We love 8 (oops, is it 12 or 16 now?) character passwords with alphanumeric, upper case and lower case characters. It doesn't matter if nobody, including us, could remember them; and we want them changed every other week. We love to spread fear and create confusion. My brother called me last night asking what he can do to protect his social security number; some security type had told him that last year 5 million identities were stolen in the USA alone. Who comes up with these absurd numbers?

On a serious note, when was the last time you thought about the number of help desk calls that would be generated by the SECURE solutions we are recommending (THINK COST!)? Or about the poor people who would be forced to write all their passwords on post-its (THINK USABILITY!)? I have always thought of security design as an optimization problem: the level of security is driven by the risk, but cost and usability are never forgotten. We have to make all of these factors OUR concerns when we design security. I always have my compass to guide me as an architect. You can also see it below. Sometimes a simple solution which can be used effectively by the majority of the users, without much hassle and at little cost, is better. Perhaps such a solution is not always there, but do we always look for it, strive for it? Sometimes less is more...
This morning, my Windows PC at work asked me to reset my password or it will expire (again) in 19 days! I THOUGHT I JUST CHANGED THAT! And I am running out of passwords I can easily remember that have upper case + lower case + numbers + characters at the same time! Not to mention that I use different systems that use separate passwords, and they also require similarly complex passwords, and they want me to REMEMBER them AND change them all the time.

Yes, there are tools to help people in my situation, but I completely agree with you in that security should be a balance between risk, cost and usability. Most techies get too caught up in the (fun) technical stuff.